Thank you very much for the quick help, Bill!
Regards,
Xiao
On Wed, Mar 30, 2016 at 6:37 PM, Bill Burke <bburke(a)redhat.com> wrote:
This is fixed in master and will be released with 1.9.2 in 1 or 2
weeks.
On 3/21/2016 11:25 AM, Xiao Ma wrote:
Thank you, Bill! I am wondering what our rough estimate is on when we are
going to release 1.9.2.Final.
Best Regards,
Xiao
On Mon, Mar 21, 2016 at 10:26 AM, Bill Burke <bburke(a)redhat.com> wrote:
> I think this is a bug. We probably don't refresh the token that is
> obtained by the "child" IDP.
>
> https://issues.jboss.org/browse/KEYCLOAK-2691
>
> On 3/20/2016 10:58 AM, Xiao Ma wrote:
>
> Hi,
>
> I configured an OIDC identity provider by selecting the OpenID Connect
> v1.0 identity provider from the drop-down box on the top right corner of
> the identity providers table in Keycloak's Admin Console. During the
> configuration process, I also configured "Logout Url" for the IDP logout
> url.
>
> When I try to logout to the external IDP, the browser is redirected to
> the external IDP to perform the logout. I can see some URL as follows:
>
> https://keycloakdev.xxxxxxx.com/auth/realms/Internal/protocol/openid-connect/logout?state=a4efbda0-8b98-4169-a369-59e92bc3fac5&id_token_hint=<ID token>
>
> "keycloakdev.xxxxxxx.com" is where the external IDP is located.
> "Internal" is the name of the realm. The parameters "state" and
> "id_token_hint" are appended to the endpoint logout URL automatically
> during the logout process.
>
> However, this process failed because I got a "Session Not Active" error in
> the UI. After some investigation, I found that this "Session Not Active" error
> seems to be related to the value of Realm Setting —> Tokens —> Access
> Token Lifespan I configured. The default value is 5 minutes. If I trigger
> the logout within 5 minutes, I can logout to the external IDP successfully.
> If I do the logout after 5 minutes, I will get this "Session Not
> Active" error. Is this the expected behavior? Do I have to bump up the
> value of "Access Token Lifespan" to get a longer session for the logout
> purpose?
>
> Thanks a lot for the help!
>
> Xiao
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
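
A diagnostic for the symptom reported in this thread, as an added example that is not from the thread or from Keycloak: it pulls `id_token_hint` out of a logout URL and reports how far past its `exp` claim the token is, without verifying the signature. The host, token and timestamps are constructed, and the idea that the "Session Not Active" error tracks the hint's `exp` is an assumption drawn from the report above.

```python
import base64
import json
from urllib.parse import urlsplit, parse_qs


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def id_token_hint_claims(logout_url: str) -> dict:
    """Return the unverified claims of the id_token_hint in a logout URL."""
    hints = parse_qs(urlsplit(logout_url).query).get("id_token_hint")
    if not hints:
        raise ValueError("logout URL carries no id_token_hint")
    parts = hints[0].split(".")
    if len(parts) != 3:
        raise ValueError("id_token_hint is not a compact JWS")
    # Diagnostic only: the signature is NOT checked, so never trust these claims.
    return json.loads(b64url_decode(parts[1]))


def seconds_past_expiry(logout_url: str, now: int) -> int:
    """Positive when the hint had already expired at `now` (epoch seconds)."""
    claims = id_token_hint_claims(logout_url)
    if "exp" not in claims:
        raise ValueError("id_token_hint has no exp claim")
    return now - int(claims["exp"])


def make_constructed_url(iat: int, lifespan: int) -> str:
    # Constructed sample: placeholder host, realm name from the thread, fake signature.
    header = b64url_encode(json.dumps({"alg": "RS256"}).encode())
    claims = {"iat": iat, "exp": iat + lifespan, "typ": "ID"}
    token = ".".join([header, b64url_encode(json.dumps(claims).encode()),
                      b64url_encode(b"not-a-real-signature")])
    return ("https://idp.example.com/auth/realms/Internal/protocol/openid-connect/"
            f"logout?state=constructed-state&id_token_hint={token}")


if __name__ == "__main__":
    issued = 1_700_000_000                            # constructed login time
    url = make_constructed_url(issued, lifespan=300)  # 5-minute lifespan, as in the thread
    for delay in (120, 420):                          # logout 2 and 7 minutes after login
        late = seconds_past_expiry(url, issued + delay)
        print(f"logout after {delay}s: hint {'expired' if late > 0 else 'valid'} ({late:+d}s)")
```
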